Kafka authorization

If Kafka authentication (for example, Kerberos authentication or SASL/PLAIN authentication based on a user name and password) is disabled, the broker cannot tell clients apart: every unauthenticated client is the ANONYMOUS principal, so ACLs cannot be tied to real identities and users can access services under a forged identity, even if Kafka authorization is enabled. Authorization is only as strong as the authentication that supplies the principal. Therefore, we recommend that you create a high-security Kafka cluster. For more information, see Introduction to Kerberos.

Note The permission configurations detailed in this section apply only to high-security E-MapReduce clusters (clusters in which Kafka is started with Kerberos enabled).

Add configurations

On the Cluster Management page, click View Details next to the Kafka cluster.

In the navigation pane on the left, click the Clusters and Services tab, and click Kafka in the service list.

At the top of the page, click the Configuration tab.

In the upper-right corner of the Service Configuration list, click Custom Configuration and add the following parameters:

Key: authorizer.class.name
Value: kafka.security.auth.SimpleAclAuthorizer
Description: The ZooKeeper-backed ACL authorizer shipped with Kafka. Kafka 2.4 and later ship kafka.security.authorizer.AclAuthorizer and deprecate this class, so use the class name that matches the Kafka version of your cluster.

Key: super.users
Value: User:kafka
Description: User:kafka is required, because the kafka service principal must be able to perform every operation regardless of ACLs. Other users can be added, separated by semicolons (;), for example User:kafka;User:admin. Super users bypass all ACL checks, so keep this list short.

Note zookeeper.set.acl controls whether Kafka protects the data it stores in ZooKeeper with ZooKeeper ACLs. It is already set to true in the E-MapReduce cluster, so you do not need to add this configuration here. With the configuration set to true, only the kafka principal that has passed Kerberos authentication can run the kafka-topics.sh command in the Kerberos environment, because kafka-topics.sh reads, writes, and modifies topic metadata directly in ZooKeeper.

Restart a Kafka cluster

On the Cluster Management page, click View Details next to the Kafka cluster you want to operate in the Operation column.

In the navigation pane on the left, click the Clusters and Services tab, and click Actions to the right of Kafka on the service list.

In the drop-down menu, select RESTART All Components, enter the execution record information, and click OK. The authorizer and super.users settings take effect only after the brokers restart.

Authorization (ACL)

Basic concepts

Definition in official Kafka documentation:

Kafka ACLs are defined in the general format of "Principal P is [Allowed/Denied] Operation O From Host H On Resource R"

This indicates that an ACL decision involves five elements: Principal, Allowed/Denied, Operation, Host, and Resource.

Principal: the user name, which depends on the security protocol of the listener the client connects to:

Security protocol: PLAINTEXT
Value: ANONYMOUS (no authentication takes place, so every client is the same principal)

Security protocol: SSL
Value: ANONYMOUS, unless ssl.client.auth requires client certificates; in that case the distinguished name of the client certificate becomes the principal

Security protocol: SASL_PLAINTEXT
Value: If the mechanism is PLAIN, the user name specified in client_jaas.conf. If the mechanism is GSSAPI, the Kerberos principal specified in client_jaas.conf, after sasl.kerberos.principal.to.local.rules has mapped it to a short name (with the default rule, test/host@REALM becomes User:test).

Because ACLs are written for principals such as User:test, an ACL can only be matched by a client whose principal the broker has actually authenticated; on a PLAINTEXT listener such an ACL never matches anyone.

For detailed mapping relationships between operations and resources, such as the supporting relationships between resources and the authorization of operations, see KIP-11 - Authorization Interface.

Authorization command

Perform authorization using the kafka-acls.sh script (/usr/lib/kafka-current/bin/kafka-acls.sh). For more information about how to use this script to authorize Kafka, run the kafka-acls.sh --help command.
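
The following script is added here as an example of the kafka-acls.sh invocations that correspond to the ACL model above; it is not part of the E-MapReduce documentation or of the Kafka distribution. It grants a principal producer and consumer rights on a topic, denies that principal from one host, lists the entries the authorizer will enforce, and removes them. The only path taken from the page is /usr/lib/kafka-current/bin/kafka-acls.sh; the ZooKeeper address, keytab path, Kerberos principal, topic name, and group name are assumptions to replace with your cluster's values.

```shell
#!/bin/sh
# Added example, not E-MapReduce's or Kafka's own script: kafka-acls.sh
# wrappers for the ZooKeeper-backed SimpleAclAuthorizer configured above.
# Assumed values (not from the page): ZK_CONNECT, KAFKA_KEYTAB, KAFKA_PRINCIPAL.
set -eu

KAFKA_ACLS="${KAFKA_ACLS:-/usr/lib/kafka-current/bin/kafka-acls.sh}"  # path from the page
ZK_CONNECT="${ZK_CONNECT:-localhost:2181}"                            # assumption
KAFKA_KEYTAB="${KAFKA_KEYTAB:-/path/to/kafka.keytab}"                 # assumption
KAFKA_PRINCIPAL="${KAFKA_PRINCIPAL:-kafka}"                           # assumption

# zookeeper.set.acl=true means only the authenticated kafka principal may
# change the ACL znodes, so obtain its ticket before touching ACLs.
kafka_kinit() {
    kinit -kt "$KAFKA_KEYTAB" "$KAFKA_PRINCIPAL"
}

# SimpleAclAuthorizer keeps its ACLs in ZooKeeper, so every kafka-acls.sh
# call is pointed at ZooKeeper through --authorizer-properties.
acls() {
    "$KAFKA_ACLS" --authorizer-properties "zookeeper.connect=$ZK_CONNECT" "$@"
}

# --producer expands to the Write and Describe (and Create) ACLs a producer
# needs on the topic; the principal is written as User:<name>, the form the
# ACL model uses.
grant_producer() {  # $1 = user name, $2 = topic
    acls --add --allow-principal "User:$1" --producer --topic "$2"
}

# --consumer expands to Read and Describe on the topic plus Read on the group.
grant_consumer() {  # $1 = user name, $2 = topic, $3 = consumer group
    acls --add --allow-principal "User:$1" --consumer --topic "$2" --group "$3"
}

# "Principal P is Denied Operation O From Host H On Resource R": a Deny entry
# wins over any matching Allow entry, so this blocks reads from one host only
# while the Allow entries above keep working from everywhere else.
deny_read_from_host() {  # $1 = user name, $2 = topic, $3 = host
    acls --add --deny-principal "User:$1" --deny-host "$3" --operation Read --topic "$2"
}

# Show what the authorizer will actually enforce for the topic.
list_topic_acls() {  # $1 = topic
    acls --list --topic "$1"
}

# --force skips the interactive confirmation when removing entries.
revoke_producer() {  # $1 = user name, $2 = topic
    acls --remove --force --allow-principal "User:$1" --producer --topic "$2"
}

# Usage on the master node (keytab and principal are assumptions):
#   KAFKA_KEYTAB=... KAFKA_PRINCIPAL=... sh kafka_acl_example.sh test demo-topic demo-group
if [ "$#" -eq 3 ]; then
    kafka_kinit
    grant_producer "$1" "$2"
    grant_consumer "$1" "$2" "$3"
    list_topic_acls "$2"
fi
```

On a Kerberos cluster the ZooKeeper client inside kafka-acls.sh also needs a JAAS configuration so that it can authenticate to ZooKeeper as the kafka principal; E-MapReduce supplies this for the kafka account, which is why the page says to run these commands as that account. Always finish with the --list call: the listing, not the --add exit status, tells you which principal, operation, host, and resource combination the brokers will enforce.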

Procedure

Complete the following operations on the master node of the high-security Kafka cluster you created in E-MapReduce.

Create a user named test.

useradd test

Create a topic.

Because zookeeper.set.acl is set to true, kafka-topics.sh must be run under the kafka account, and that account must first pass Kerberos authentication (that is, hold a valid ticket) before the command can modify topic metadata in ZooKeeper.